本文将创建一个用户 devuser（名称可自定义），使其只能管理 demo 命名空间。
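# Install the cfssl certificate tooling (R1.2 static binaries) into /usr/local/bin.
cd /root || exit 1
# TODO(review): these are unauthenticated downloads placed on PATH as root; compare each
# file's sha256 against the checksum published for the release before installing it.
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
  mv "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  chmod +x "/usr/local/bin/${tool}"
done
# Work directory for the user's CSR. The signing step later references
# /root/devuser/devuser-csr.json, so the file must be created inside this directory
# (the original sequence wrote it to /root instead).
mkdir -p /root/devuser
cd /root/devuser || exit 1
vi devuser-csr.json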
{
"CN": "devuser",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangZhou",
"L": "GuangZhou",
"O": "k8s",
"OU": "System"
}
]
}
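# Sign the devuser client certificate with the cluster CA (ca.crt / ca.key live here).
# The cd is checked: if it fails, cfssl would otherwise run against the wrong directory.
cd /etc/kubernetes/pki || exit 1
# `-bare devuser` writes devuser.csr, devuser-key.pem and devuser.pem into the current
# directory (/etc/kubernetes/pki); the kubectl config commands below rely on those relative paths.
# NOTE(review): no -config is supplied, so whether -profile=kubernetes selects anything beyond
# cfssl's default signing policy is not visible here — check the issued cert's usages and expiry
# with `cfssl-certinfo -cert devuser.pem`.
# In Kubernetes x509 client auth the CSR's CN is the username and "O" becomes the group;
# keep "O" away from privileged groups such as system:masters.
cfssl gencert \
  -ca=ca.crt \
  -ca-key=ca.key \
  -profile=kubernetes \
  /root/devuser/devuser-csr.json \
  | cfssljson -bare devuser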
输出内容:
2022/01/03 16:27:01 [INFO] generate received request
2022/01/03 16:27:01 [INFO] received CSR
2022/01/03 16:27:01 [INFO] generating key: rsa-2048
2022/01/03 16:27:01 [INFO] encoded CSR
2022/01/03 16:27:01 [INFO] signed certificate with serial number 183318846060115252175414421649635047300497396132
2022/01/03 16:27:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
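# Register the cluster in a fresh kubeconfig, embedding the CA so the file is self-contained.
# The `> ` secondary prompts pasted from the terminal have been removed: inside a script they
# would be parsed as output redirections, not as continuation lines.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --server=https://192.168.3.81:6443 \
  --kubeconfig=devuser.kubeconfig
# Expected output: Cluster "kubernetes" set.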
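# Add the devuser credentials. Paths are relative to /etc/kubernetes/pki, where cfssljson
# wrote them. --embed-certs copies the private key into devuser.kubeconfig, so from here on
# that file is a secret. Terminal `> ` prompts removed (they would be redirections in a script).
kubectl config set-credentials devuser \
  --client-key=devuser-key.pem \
  --client-certificate=devuser.pem \
  --embed-certs=true \
  --kubeconfig=devuser.kubeconfig
# Expected output: User "devuser" set.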
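# Bind the cluster and the user into a context named "kubernetes".
# Terminal `> ` prompts removed (they would be redirections in a script).
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=devuser \
  --kubeconfig=devuser.kubeconfig
# Expected output: Context "kubernetes" created.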
# Make "kubernetes" the current context of devuser.kubeconfig (--kubeconfig is a global flag,
# so it may precede the subcommand).
kubectl --kubeconfig=devuser.kubeconfig config use-context kubernetes
# Expected output: Switched to context "kubernetes".
# Grant devuser the built-in "admin" ClusterRole, scoped by a RoleBinding to one namespace.
# NOTE(review): the introduction says devuser should only manage the "demo" namespace, but this
# binding targets "default" — confirm which namespace is intended.
kubectl create rolebinding devuser-admin-binding \
  --namespace=default \
  --clusterrole=admin \
  --user=devuser
备注：这里使用了内置的 --clusterrole=admin，也可以自行创建 Role 再绑定。
# Show the generated kubeconfig. It embeds devuser's private key (client-key-data), so treat
# this output as a secret and do not paste it into shared logs or posts.
cat -- devuser.kubeconfig
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: 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
server: https://192.168.3.81:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: devuser
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: devuser
user:
client-certificate-data: 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
client-key-data: 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
安装客户端:
# Install the kubectl client on the worker. kubectl is supported within one minor version of
# the API server, so keep this version aligned with the cluster.
yum -y install kubectl-1.18.6
客户端创建config目录
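# Create root's kubectl config directory on the client. -p makes this idempotent (the original
# failed if the directory already existed); mode 0700 because the directory will hold a
# kubeconfig with an embedded private key.
mkdir -p -m 0700 /root/.kube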
从master拷贝/root/devuser/config过去客户端
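# Copy the kubeconfig to the client as root's default config. The remote address in the
# original was garbled by the scraper ("[email protected]"); <CLIENT_HOST> is a placeholder
# for the client's address (the later prompt shows the client is k8s21-worker02).
# The file embeds devuser's private key: keep it mode 0600 on the client.
scp devuser.kubeconfig root@<CLIENT_HOST>:/root/.kube/config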
查看集群的命名空间default情况:
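# Run on the client (k8s21-worker02) using the copied kubeconfig: devuser may list pods in
# "default" because of the RoleBinding. The shell prompt pasted from the terminal has been
# removed so the line is runnable. Expected output follows.
kubectl get pod -n default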
NAME READY STATUS RESTARTS AGE
busybox0403-5b4f44676f-jcbhp 0/1 CrashLoopBackOff 422 37h
busybox0403-648c58cd59-5wqp6 0/1 CrashLoopBackOff 443 37h
legacy-app 2/2 Running 3 29h
nginx0329-6f68f5ffd4-vdpxn 1/1 Running 1 6d4h
nginx0403-7d458bd795-d49zb 1/1 Running 1 38h
nginx0403-7d458bd795-hl94g 1/1 Running 0 38h
nginx0403-7d458bd795-p5fr6 1/1 Running 0 38h
nginx0403-7d458bd795-qbf8j 1/1 Running 0 38h
nginx0403-7d458bd795-qg56z 1/1 Running 0 38h
查看集群的命名空间kube-system情况:
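# Same client, different namespace. The leading "# " in the original was the root prompt, which
# in a script would comment the command out. Expected result: a Forbidden error, since devuser
# has no binding in kube-system.
kubectl get pod -n kube-system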
Error from server (Forbidden): pods is forbidden: User "devuser" cannot list resource "pods" in API group "" in the namespace "kube-system"
可见无权限。
k8s服务端增加以下:
# Grant devuser "admin" in a second namespace, again via a namespace-scoped RoleBinding.
# NOTE(review): the introduction names the target namespace "demo", this binding uses "demo2" —
# confirm the intended name.
kubectl create rolebinding devuser-admin-binding2 \
  --namespace=demo2 \
  --clusterrole=admin \
  --user=devuser